Share

After massive email leak, the city scrambles

Last summer, a man named Matthew Chapman did what researchers, reporters, lawyers and others do thousands of times a year: He filed a public disclosure request with the City of Seattle. He wanted records of emails sent and received by employees of the city, but not necessarily the emails themselves.

An employee at the city's Department of Information Technology sent a routine acknowledgment of the request. But somewhere between when the request came in and the information went out, something went very wrong. Instead of the surface-level records to map the movement of emails, Chapman received the first 255 characters of every city email, as well as the subjects and headers, over a two-month period, totaling over 32 gigabytes of information. (Based on standard Lexis Nexis calculations, that size of release would be expected to contain more than 3 million full-length emails.)

The mistake came at a time when the integration of city tech functions into the sprawling Information Technology department was already under severe question from other parts of city government, over whether it was well led or even able to handle the needs of other departments. This summer, city Chief Technology Officer Michael Mattmiller, the department's director, acknowledged to Crosscut that a survey among employees citywide showed significant dissatisfaction but promised that good results in the transition to a single department for technology would soon become apparent. The integration of tech services under the department was a signature cause of recently resigned Mayor Ed Murray.

Of the email release, the city’s Chief Privacy Officer Ginger Armbruster has only characterized the issue as “human error,” and she said that she didn't have more information than that. One employee who spoke to Crosscut on the condition of anonymity said the story going around is someone went on vacation and whoever filled in made the mistake; Armbruster said she didn’t know about any such personnel changes.

Regardless, none of the information went through the standard redaction process typical of email releases, all but guaranteeing that some confidential information or other communications normally protected under public records laws was provided to Chapman. “If you had cops talking about polygraph results, if you had HR investigations, or even complaints against Mattmiller, that’s all in there,” said the employee. Attorney-client privilege, a sacrosanct concept in the legal world, was almost inevitably put into jeopardy, since the dump of emails included not just the police and city attorney's offices but also any employees working on issues that may involve litigation.

In something of a best-case scenario for the city, Chapman apparently noticed something was off when he received the release and, rather than exploiting the unexpected data in some way, notified the IT department. A city employee reportedly then tipped KIRO 7 news.

Nevertheless, the disclosure sent a whole team of lawyers within the City Attorney’s Office, with the help of outside counsel, scrambling to lay a boom around the leak, including getting the requester to sign an affidavit swearing he would destroy the emails’ contents.

A spokesperson from the office said, “The Seattle City Attorney’s Office played a vital role in minimizing the potential impact of the inadvertent email release. The incident has been the top priority for the City Attorney’s Office public records team since the incident was discovered on Sept. 1, 2017."

That work continues today, as lawyers coach the IT department in better development of "training and protocols around public records disclosure to minimize the risk of reoccurrence.”

Privacy Officer Armbruster could not say what the department is doing, exactly, to change its policies. “We haven’t had a chance to really delve into it, we just know that somebody did it,” she said. In a statement, the IT department said, “The City is also reviewing its procedures and protocols for responding to public disclosure requests, and making changes to those policies and procedures to reduce the likelihood that this situation happens again.”

As those efforts go on, several employees of the IT department, who spoke to Crosscut on the condition of anonymity, say they are not comforted. Amid the rampant dissatisfaction among employees, the incident — despite the assurances that it was a onetime event — is interpreted by employees as a microcosm of IT's larger issues and not helping Mattmiller's efforts at a course correction.

While they understand that the release of the emails may have been the result of human error, some wonder how it could have ever gotten to that point and what training and protocols were in place to begin with.

To underline their point, employees were quick to offer other security issues not directly related to the release, but, when combined with the most recent mistake, further the impression for them that important issues are not being taken seriously: One employee said, for at least a year, both the Seattle Police Department and the City Attorney’s Office have raised concerns about the security of their communications and have asked for better means to transfer sensitive information, without any apparent luck. And two employees told Crosscut the department is not archiving emails properly, which means many years of communications are sitting in people’s inboxes. That can make searching for specific records time-consuming and expensive and also leave large amounts of information exposed in the event of a breach.

All of this comes on the heels of an executive order, issued by Bruce Harrell during his five days as interim mayor, directing Chief Technology Officer Mattmiller to “assess the risks related to the management, sharing and protection of data under the control of or supported by the Seattle Information Technology Department on behalf of the City,” including “how data in response to public records is provided.” The report is due Nov. 15. Harrell issued the order before any word of the email disclosure.

The Seattle IT department is a new spinoff of the old Department of Information and Technology (DOIT). Its purpose is to consolidate all of the city’s IT functions, moving employees and infrastructure out of the individual departments and into one space, under one director in Mattmiller. The consolidation, which has grown the department from around 200 to around 600 employees, is about halfway through its three-year timeline.

The goal is to reduce inefficiencies and improve communication in the city’s IT departments. But the transition has never been smooth. From the beginning, the consolidation was met with skepticism. The police department, in particular, was very hesitant, according to one former police department employee. The reticence is reflected in extensive back and forth negotiations between SPD leadership and the IT department over which employees SPD could keep and who they had to turn over to IT, played out in emails obtained through a public records request. The emails show great concern about whether there was a proper plan in place.

“Don’t know if they thought thru the issue of the talent they are going to lose when some of our IT employees find out they are no longer SPD employees,” former Chief Operating Office Mike Wagers wrote in an August 2015 email to Chief Kathleen O’Toole. “Some, not all, came to work for the SPD because of the purpose and mission, like sworn [officers] do. This is not an inconsequential point. … What if we started reassigning officers to another city department, like Fire. Said hey, it’s still public safety and this is about best practices, creating efficiencies, creating standards, improving service delivery, etc.”

Police leadership continues to have concerns, with some officials recently speaking openly near reporters in a courtroom about how difficult IT has been to work with.

Since Crosscut published its article on dissatisfaction in the department, IT’s leadership team set up occasional “lunch and learns” where employees are invited to eat lunch and communicate to management questions and concerns. Following publication, one employee said, “It took a while but it feels like the article has had some positive impact.”

But if there’s been progress among employee morale, it’s not evident in the wake of the leak. "I have no explanation for the level of batshit crazy in this place," said one employee, when asked about the breach. "Nobody at the top knows what they are doing."

“This is the perfect example, again,” said another employee. “Instead of focusing on what the issue is … it’s being deflected.”

And yet another suspected the department is “woefully underplaying the significance of the potential privacy breach.”

Both the city and the state pride themselves on their transparency and willingness to provide records. Although response time often drags, the content of public records subject to requests is liberal, at least compared to some states.

But there are exemptions to what is subject to disclosure, including information about ongoing law enforcement investigations, personal contact information, communications between client and attorney, and many more. When someone requests emails that include an outside third party — like a private vendor or contractor, for example — the city notifies that person and offers them an opportunity to contest the release of the emails. At least one vendor has taken the city to federal court to prevent information about its product from being released, arguing the information was proprietary.

A spokesperson for the IT department said that, in the wake of the email release, they've set up a hotline for people to call in with concerns, and so far no one has.

However, one employee told Crosscut there were likely several emails detailing an internal complaint against Mattmiller, one of which would have almost certainly been withheld during a normal release of records.

The buffer against potential legal and administrative chaos in this scenario is only that Chapman has turned out to be, as Armbruster described him, a "good Samaritan." Efforts to track down Chapman were not successful; Crosscut contacted several Matthew Chapmans who denied being the requester. But Chapman has been willing to work with the city in the damage-containment effort spearheaded by the City Attorney's Office.

"Our attorneys and outside counsel worked with the requester to obtain a signed affidavit attesting to the destruction of all records thereby decreasing the risk of further disclosure of any sensitive records, or the potential for waiver of attorney-client privilege," the statement from the City Attorney's spokesperson said. "We are continuing to advise City departments regarding compliance with any other federal regulatory requirements and contractual obligations related to the incident. Finally, our public records staff continues to be engaged in developing training and protocols around public records disclosure to minimize the risk of reoccurrence.”